Starting On Windows: PMA

When I was getting started I was told to read Practical Malware Analysis from No Starch Press.  I can’t recommend the book enough.  As far as prerequisites go I was fine with a basic understanding of programming and how computers work.  You may have to learn some additional things along the way but it’s a very good first introduction in my limited opinion.  As a bonus a copy was available through my library system.

Another valuable resource available online is the RPISEC Malware course on Github.  It has a good list of tools that will be handy while going through PMA with links.  It also has course notes available as well.

Getting Started:

The first practical thing that I learned was to use a virtual machine and have a snapshot saved with it fully set up.  It’s easy to say that you won’t do anything foolish but I learned quickly that accidentally double clicking something is easier to do than you may realize.  For just messing around I will disable file sharing and network connections to the VM as well.  This may be overkill but better safe than sorry.

Practical Malware Analysis deals with Windows, which makes sense because of the number of computers running on Windows.  I find this to be a good thing because I took a break from Windows for a long time.  So going through the projects got me back to using Windows and getting familiar with it.

The first thing the chapter one labs tell you to do is to go and upload the .exe files to VirustTotal.  That was a pretty fun thing to do but I’m not going to go through it here.  I doubt anyone wants to read a writeup on uploading a file to a website.

Strings:

I ran the program through the strings.exe program from SysInternals from MS.  lab1-1strings

We can gain some understanding of the functionality of the executable by going through all of the functions listed in the strings output.  But there are two interesting things here.  Notice kerne132.dll and C:\windows\system32\kerne132.dll.  Just for fun the WARNING_THIS_WILL_DESTROY_YOUR_MACHINE made me want to dig into the executable as well.

If we navigate to the C: directory and execute dir we see that there is no C:\windows\system32\kerne132.dll directory.  My guess is that this is where the malicious install or data storage will occur if the executable were to be run.

Finding Functionality:

Out of curiosity I decided to open this executable in IDA (free version) to find out what happens with this directory.  All it took was searching the string and searching where the call was referenced.  This took me to the following piece of code:

lab1-1ida1

Lets take a look at this piece of code.  We can be reasonably sure that its purpose is to copy Lab01-01.dll into C:\windows\system32\kerne132.dll.  A quick jump to MSDN documentation for CopyFileA gives us the information we need.  Notice the three arguments pushed onto the stack in reverse order right before the function call.  The 0 informing the function to not overwrite if the file exists, the target file, and then finally the source file.

Indicator:

This gives us a pretty nice indicator of if a machine has been infected or not.  If the C:\windows\system32\kerne132.dll file exists on a machine then it’s possible this piece of malware has been there.  I say possible because it’s also possible that other malware exists that will create the same directory.  We could be certain by seeing if the contents match Lab01-01.dll.

Fun:

Because I had a snapshot taken of my vm before I started analyzing this executable I decided it would be fun to see what happens when executing this particular piece of malware.

In my case nothing happened.  I got a dialogue box that appeared and disappeared before I was able to determine anything about it.  When I checked my C: directory it was unchanged.  When I conducted a file search it also came up empty.  My vm is running a copy 32-bit Windows 10 so this particular malware may not be able to do anything on to it. In the name of being careful I rolled the vm back to the snapshot anyway.

Conclusion:

I find the labs in PMA fun.  There’s a lot of good hands on experience there.  If you want to find detailed answers to the questions for the labs they are in the back of the book.  I had fun playing around with this piece of malware and decided to write up a little extra bit that wasn’t included in the book.   Hope it was helpful.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s